OSCP

The BOF on my exam was very similar to the example in the lab. Once I got the exploit working on the dev machine it worked right away on the target.

I bet he was taking a jmp esp from an OS .dll rather than the programme. Then when he tried on exam it failed because of differences in OS.

Mastering BOF is all about getting used to assembly level debugging. Single step your target, look at which point it does not execute code you expect and then find out why.

I had a similar issue on my exam. Had it working on the test machine after <1 hr but wasted a further 8 hrs getting it to work on the exam box; eventually found the problem. PM me if you wanna discuss.

As others mentioned, the lost time and the pressure after that was too much and I failed the exam. I felt that I could not walk away for a break and ended up spending almost all of the 24 hrs at the desk chasing in and spinning my wheels in full brain fog mode.

I took heart from the fact that I only just fell short (probably one user shell away), after having 0 pts on the board after 10 hrs. Looking forward to re-taking having learnt from the experience.

@AgentTiro said:
I bet he was taking a jmp esp from an OS .dll rather than the programme. Then when he tried on exam it failed because of differences in OS.

bingo

Can anyone list the most OSCP-like machines on HTB?

One difference I’ve noticed is PWK lab machines are less like CTF puzzles and more “realistic”

@NeilSec said:
Can anyone list the most OSCP-like machines on HTB?

One difference I’ve noticed is PWK lab machines are less like CTF puzzles and more “realistic”

Good then. Received my labs access today. Cheers!

@Pratik said:

@NeilSec said:
Can anyone list the most OSCP-like machines on HTB?

One difference I’ve noticed is PWK lab machines are less like CTF puzzles and more “realistic”

Good then. Received my labs access today. Cheers!

Cool. If your HTB ratings are anything to go by, I imagine you’ll be ahead of the game.
Good luck with it.

@NeilSec said:
Can anyone list the most OSCP-like machines on HTB?

One difference I’ve noticed is PWK lab machines are less like CTF puzzles and more “realistic”

Arctic, Devel, SolidState and Chatterbox are more or less like the labs in OSCP. Might be some more but that’s the ones I noticed.

@shellyhx said:

@NeilSec said:
Can anyone list the most OSCP-like machines on HTB?

One difference I’ve noticed is PWK lab machines are less like CTF puzzles and more “realistic”

Arctic, Devel, SolidState and Chatterbox are more or less like the labs in OSCP. Might be some more but that’s the ones I noticed.

Thanks pal!

I designed some of the stuff in TartarSauce to be like an OSCP Lab machine.

And my new submission (BigHead) would go well with this post?
Let’s hope the HTB gods don’t reject it!

Painful but wonderful journey it was.

Finally I have obtained OSCP certification. Cheers!

Thank you Off Sec Team for creating such a fantastic course.

Congrats! Which boxes would you personally recommend for someone starting their OSCP journey? cough

@egotisticalSW said:
Congrats! Which boxes would you personally recommend for someone starting their OSCP journey? cough

Thanks mate. I would recommend all the retired boxes to practice, but focus more on Windows machines: TartarSauce, Chatterbox, Sunday and the machines with BOF.

Do practice buffer overflow.

I am not sure you can quantify a pass by the nature of how many boxes you have owned in HTB. IMHO, the difficulty with the exam is how many boxes you need to pwn in 24 hrs. If it takes you 24 hrs to get a standard OSCP box as discussed in this forum, then you might struggle to get enough points. The best thing you can do is make sure you are on point with things like the DEP-disabled BOF. You want to be sure you can get that done in an hour or so while your enum scripts are running on the other boxes. Having different scripts ready to go will help. Also, if you find you are having to google-fu basic concepts, e.g. how to properly enum SNMP, then you are probably not ready. You should be at a stage where you can accurately enum the most common services (FTP, SNMP, SMB, etc.) in your sleep. Mastering the common tools (nmap, gobuster, etc.) is a must. I don’t think there is enough time to be working out “how do I run this”. Most important thing is to try and enjoy. Good luck when it comes round.

Here’s what I would suggest after taking it twice and finally passing:
Joker (sudoedit and wildcards)
Jeeves (Pass the hash)
Waldo (Local file inclusion)
Poison (Tunneling via SSH)
Celestial (Crontab privesc)

If you want more info:

Currently studying for the OSCP, and my lab time is soon expiring. I think I’ll try the exam now, but not quite sure if I should go for the exam or purchase some lab extension time.

I have rooted twenty-something boxes there, including “the big four”. I have also rooted all the domain-joined boxes, including the domain controller, and unlocked two of the three additional networks. I also feel I have BOF under control.

For those that have OSCP, what do you think? More lab time, or go for the exam?

@ghostride said:
Currently studying for the OSCP, and my lab time is soon expiring. I think I’ll try the exam now, but not quite sure if I should go for the exam or purchase some lab extension time.

I have rooted twenty-something boxes there, including “the big four”. I have also rooted all the domain-joined boxes, including the domain controller, and unlocked two of the three additional networks. I also feel I have BOF under control.

For those that have OSCP, what do you think? More lab time, or go for the exam?

I don’t have OSCP as of now. But I think you could give the exam a try before purchasing extra lab time. At least you get to know the stuff and gain experience, even if you fail.

With lab time you get one more exam attempt.

@DeepinX said:
Everything I just shared about the exam is already public knowledge.

Just in case someone freaks out…

Hey, I didn’t read through all the comments after this one, but did you go back and use a fresh install of the Kali VM they provided you for your exam? If you update that custom VM, even an “apt-get update”, the BOF in the training material may not work right. I assume this is also the case for the test. Also, did you check the updates and errata section for updated content on the OSCP forums? And did you ask this question in the OSCP forum? You should still have access to it even if your lab time has run out.